Skip to content

Releases: northpolesec/santa

2026.2

03 Mar 17:52
@mlw mlw
2026.2
ce791aa
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2026.2 Latest
Latest

Notes

Announcements

🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It is fully featured, scalable, and enterprise ready. Come learn more at northpole.security.

📣 The Santa package now includes two new binaries: a network extension daemon (com.northpolesec.santa.netd) and a helper utility for telemetry export (sleigh). Both are intended for use by Workshop customers only.

Fixed

❗ Fixed issue where the Santa UI could appear to open smaller than needed and then "snap" to the correct size
❗ Fixed a rare UI state race condition that could inadvertently cause the About dialog to be displayed when it shouldn't
❗ Terminal prompts are no longer hidden when an application executed from a terminal is blocked and Santa writes information to the TTY
❗ Fixed regression where custom URLs or EventDetailURL values of "null" were not appropriately removing the button from the UI

Changed

↔️ Santa now properly registers for notifications on startup. Unless the system has a Notifications profile installed, users may see a system banner notifying them that Santa would like to send notifications. No new or additional notifications exist.
↔️ Compiler rules now also track file clone events for tracking executable output in order to create more comprehensive transitive rules. This is commonly seen with newer rust/cargo toolchains.
↔️ santactl doctor feedback around sync availability is now significantly more accurate, with fewer false positives
↔️ Terminology around "USB blocking" has been standardized to "removable media blocking" to better reflect the full range of devices Santa handles, such as SD cards, Thunderbolt drives, and NVMe devices

Added

➕ CEL policies now have access to the executing binary's signing ID during evaluation, enabling capabilities such as wildcard matching
➕ Added support for the FileAccessEventDetailURL and FileAccessEventDetailText configuration keys, used as fallbacks when there is an FAA block and no per-rule URL or text is provided
➕ Execution events sent to the sync server now indicate whether or not the applied rule was a static rule
➕ A CEL playground is now available for testing and validating CEL rules
➕ Added French (France), French (Canada), and Spanish translations
Workshop customers: Removable media block events are now uploaded during sync and viewable in Workshop
Workshop customers: Telemetry filtering expressions allow you to redact/filter telemetry before being exported
Workshop customers: CEL rules can now act upon the process tree when making a decision
Workshop customers: (BETA) Santa can now report network telemetry

Santa documentation can be found at northpole.dev.

What's Changed

Read more

Contributors

russellhancox, mlw, and 3 other contributors
Assets 5
Loading

v2026.1

29 Jan 20:51
@mlw mlw
2026.1
8909082
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v2026.1

Notes

Announcements

🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It is fully featured, scalable, and enterprise ready. Come learn more at northpole.security.

📣 macOS 13 (Ventura) is no longer supported.

Fixed

❗ Instigating process information is no longer missing for File Access rule violations committed by processes that started before Santa was running
❗ Fixed issue that prevented blocking mounts of certain external media types
❗ Blocked USB mounts are now logged in the telemetry stream
❗ Fixed overzealous caching of blocked execution events if the event was unable to be uploaded immediately due to network issues
❗ Removed unintentional escape codes in santactl fileinfo --json output

Added

➕ Co-branding is now supported, allowing admins to configure their company name or logo to be displayed on Santa UI dialogs
➕ Santa now has a menu item! This has functionality to trigger a sync and reset any silenced block notifications. For Workshop customers, you can also control temporary monitor mode and see how much time is remaining. Users can turn this off or on from the "About" dialog. Admins can configure this to be off by default by setting the EnableMenuItem configuration key to false.
➕ The santactl fileinfo command now supports a --verify flag to display code signature validation result for each slice of the binary as well as a security assessment via spctl
Workshop customers: Network shares can now be blocked from mounting and exception lists can be configured (macOS 15+)
Workshop customers: Push command support to terminate arbitrary processes
Workshop customers: You can now use CEL rules to require that a user performs TouchID

Santa documentation can be found at northpole.dev.

What's Changed

  • Block network mounts pt1 by @mlw in #704
  • Add CEL rule to stop users from taking and mounting time machine snapshots by @pmarkowsky in #706
  • Data structures for blocking network mounts by @mlw in #705
  • Kill command impl by @mlw in #702
  • Remove stored events from the backoff cache when event upload fails by @mlw in #709
  • ci: Fix localization.py to exit with a code by @russellhancox in #710
  • santad: Add REQUIRE_TOUCHID option to CELv2 by @russellhancox in #707
  • UI support for blocking network share mounts by @mlw in #708
  • Backfill decision cache on startup by @mlw in #712
  • Telemetry for blocked USB and Network mounts by @mlw in #711
  • Update docs deps by @mlw in #714
  • Drop macOS 13 support by @mlw in #716
  • Fix: Remove the unintentional inclusion of tty control codes in santactl fileinfo --json output by @pmarkowsky in #717
  • Santa command HMAC verification by @mlw in #715
  • Use appropriate CEL v1/v2 evaluator by @mlw in #718
  • Restrict network mount blocking to macOS 15+ by @mlw in #720
  • Remove APNS support by @russellhancox in #721
  • Upload stored network mount events by @mlw in #713
  • Fix issue #719 by @pmarkowsky in #723
  • gui: Add menu item by @russellhancox in #722
  • Allow external repos to depend on Santa by @mlw in #726
  • build: Disable signing timestamps in bazel by @russellhancox in #725
  • gui: Allow users to show/hide menu item by @russellhancox in #727
  • Stub module to allow build time injection of network capabilities by @mlw in #728
  • Change version target visibility by @mlw in #729
  • sync: Fix populating timestamp field for TMM audit events by @russellhancox in #732
  • Support manual installation of santanetd by @mlw in #731
  • santad: Add telemetry for TouchID/hold-and-ask execution events by @russellhancox in #730
  • Add network mount block config to santactl status by @mlw in #734
  • Support detecting first launch after boot by @mlw in #733
  • Cobranding support by @mlw in #735
  • Add 'Reset Silenced Notifications' menu option by @russellhancox in #737
  • santad: Add REQUIRE_TOUCHID_SILENT to CELv2 by @russellhancox in #738
  • Handle network extension settings from sync server by @mlw in #736
  • docs: Force-update lodash by @russellhancox in #739
  • santad: Drop pre-Monterey printer proxy support by @russellhancox in #740
  • Content filter and XPC channel with network extension setup/configuration by @mlw in #741
  • Rename SNTNetworkExtensionSettings by @mlw in #743
  • celv2: Add require_touchid{,_only}_with_cooldown_minutes functions by @russellhancox in #742
  • Add more NATS error logging by @pmarkowsky in #744
  • Optional code signature verification support in santactl fileinfo by @mlw in #745
  • santactl/doctor: Handle no user being logged in, log machine ID/owner by @russellhancox in #746
  • Fix menu item UI edge cases by @mlw in #747
  • Add lefthook config by @russellhancox in #748
  • gui: deny execution of hold&ask events immediately if unavailable by @russellhancox in #749

Full Changelog: 2025.12...2026.1

Contributors

russellhancox, mlw, and pmarkowsky
Loading

v2025.12

17 Dec 19:44
@mlw mlw
2025.12
ef6761e
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v2025.12

Notes

Announcements

🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It is fully featured, scalable, and enterprise ready. Come learn more at northpole.security.

📣 Santa will be ending support for macOS 13 (Ventura) in January 2026.

Fixed

❗ Rules received from a sync server with CEL policies using features not supported by the current version of Santa will no longer cause syncing to fail.
❗ Addressed a memory leak in the santasyncservice process.
❗ Window icons are no longer blurry

Changed

↔️ The name for Santa as shown in the macOS settings Privacy & Security Full Disk Access pane is now more descriptive: "Santa Endpoint Security Extension".
↔️ Support for the EnableForkAndExitLogging configuration key has been removed and configurations should migrate to using the Telemetry key.
↔️ The target field in FileAccess telemetry messages emitted by FAA rule violations was switched to be a FileInfo type. This is a wire-, forward-, and backward-compatible protobuf change that now allows consumers to see stat(2) info.

Added

[Workshop Customers] On-Demand Monitor Mode! Admins can configure policies for hosts that allow users to temporarily enter Monitor Mode as needed for a defined period of time. Hosts will automatically revert to Lockdown Mode once the time expires. This enables a much smoother experience for users like developers that need to constantly build & run new binaries without having machines carry permissions for longer than necessary.
➕ CEL policies have access to two new fields which allow for more dynamic and flexible rules: the effective user ID (euid) and current working directory (cwd).
EventDetailURL and EventDetailText can now be set by the sync server.
santactl rule can now be used to check if a given path is covered by a Data FAA rule.
santactl status now displays the current sync interval.
➕ More comprehensive anti-tamper protections.

If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.

Santa documentation can be found at northpole.dev.

What's Changed

  • ci: Stop running on macos-13, fix lint.sh by @russellhancox in #634
  • Adopt mode transition sync protocol changes by @mlw in #626
  • Remove unnecessary legacy wrapper to get the IO main port by @mlw in #636
  • ObjC timer wrapper. Allow controlling timer restarts. by @mlw in #635
  • Some minor cleanup in santactl headers by @mlw in #637
  • santactl command to temporarily enter Monitor Mode if eligible by @mlw in #638
  • Reenter temporary Monitor Mode on startup if time remaining by @mlw in #639
  • build(deps): bump js-yaml from 3.14.1 to 3.14.2 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #641
  • Rename EnableNATS to EnablePushNotifications by @pmarkowsky in #632
  • Move pinning code to common where it belongs by @mlw in #643
  • santactl status now displays temporary Monitor Mode time remaining by @mlw in #640
  • Support EventDetailURL and EventDetailText in the sync protocol by @mlw in #642
  • Add localization for authorizing temporary monitor mode by @mlw in #644
  • disable v2 check for dev builds by @tburgin in #645
  • Fix issue with bundle hash event URLs by @mlw in #646
  • Improved checks on mode transition policies by @mlw in #647
  • Replace use of internal FieldDescriptorLite type with the public FieldDescriptor. by @dzonder in #648
  • Support exporting FAA rules in debug builds by @mlw in #650
  • Add sync intervals to santactl status with a human-readable output by @pmarkowsky in #649
  • Fix santactl push notification status with NPS Push Service by @pmarkowsky in #652
  • docs: Add FAA configuration docs by @russellhancox in #651
  • Add CEL rules to prevent enabling SSH and Remote Apple Events by @pmarkowsky in #653
  • Simplify the cookbook rules for systemsetup by @pmarkowsky in #654
  • docs: Switch CEL cookbook to use AddedBadge by @russellhancox in #655
  • Support checking if path is covered by a Data FAA rule by @mlw in #656
  • docs: Update js-yaml dep by @russellhancox in #657
  • deps: Update several bazel dependencies by @russellhancox in #659
  • Add santa command handler by @pmarkowsky in #631
  • Set a more readable name for the FDA pane by @mlw in #661
  • Refactor temporary monitor mode logic by @mlw in #660
  • docs: Update dependencies by @russellhancox in #663
  • docs: Delete unused package-lock.json by @russellhancox in #665
  • Add rules to lockdown Docker. by @pmarkowsky in #666
  • santactl/status: Move sync interval field under current sync times by @russellhancox in #664
  • Add stored event types for TMM audit events by @mlw in #662
  • Remove the .png from the docker example by @pmarkowsky in #667
  • Make Timer thread safe and synchronize TemporaryMonitorMode ops by @mlw in #669
  • Adopt flags to reduce Bazel memory footprint in continuous builds by @mlw in #670
  • Split continuous testing action runs by @mlw in #671
  • build(deps): bump node-forge from 1.3.1 to 1.3.2 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #673
  • Emit audit events from TemporaryMonitorMode by @mlw in #672
  • Fix: Switch to using EnableForkAndExitLogging by @pmarkowsky in #674
  • Add support for time duration strings. by @pmarkowsky in #675
  • Temporary Monitor Mode audit events in sync protocol by @mlw in #676
  • santad: Add cwd and euid to CEL context by @russellhancox in #678
  • docs: Update CEL docs to mention euid/cwd fields by @russellhancox in #679
  • Switch target field in FileAccess messages to be FileInfo type by @mlw in #680
  • docs: Remove webpack-dev-server override by @russellhancox in #681
  • Fix some memory leaks in the sync service by @mlw in #683
  • Fix issue in FAA logging that could cause a crash (unreleased) by @mlw in #684
  • santactl/doctor: Improve checking of sync availability by @russellhancox in #682
  • Fix blurry window icons. by @mlw in #685
  • Improved multi monitor support by @mlw in #686
  • Placeholder to handle kill command push notification by @mlw in #688
  • Add support for proc suspend/resume events by @mlw in #690
  • On by default - suspend/resume by @mlw in #691
  • sync: Clear RepeatedPtrFields in EventUpload instead of replacing by @russellhancox in #689
  • santasyncservice: fix crash during telemetry upload by @tburgin in #687
  • Remove message copies during Event Upload message creation by @mlw in #692
  • Helper code sign identifier utilities by @mlw in #693
  • Add classes to support kill command by @mlw in #694
  • Fix rule download issue where success/failure was improperly determined by @mlw in #695
  • Adopt layered errors for Santa Commands by @mlw in #696
  • Decode kill command and encode response by @mlw in #697
  • Add santactl command command by @mlw in #698
  • Remove deprecated EnableForkAndExitLogging config key by @mlw in #699
  • Fix build issue when DEBUG isn't defined by @...
Read more

Contributors

russellhancox, mlw, and 4 other contributors
Loading

v2025.11

06 Nov 17:57
@mlw mlw
2025.11
c581695
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v2025.11

Notes

Announcements

🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It is fully featured, scalable, and enterprise ready. Come learn more at northpole.security.

📣 Ready for Tahoe. This version has been validated on macOS Tahoe 26.0.

📣 Santa will be ending support for macOS Ventura in January 2026.

Fixed

❗ Changes to push notification sync intervals now take effect immediately instead of waiting until the next cycle.

Changed

↔️ The sync service is restarted when push notifications are enabled/disabled so the new configuration can take effect.
↔️ If Santa is unable to communicate with the sync server when push notifications are enabled, it will reschedule the next attempt for the smaller of either 10 minutes or the current push notification full sync interval.
↔️ Sync intervals are now scheduled with a 5 second leeway (previously, there was an allowed variance of up to 50% of the sync interval time). This will make sync intervals more consistent.

If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.

Santa documentation has undergone a complete overhaul and can be found at northpole.dev.

What's Changed

  • New type for handling on demand monitor mode configuration by @mlw in #624
  • NATS based push notifications for Sync V2 by @pmarkowsky in #620
  • Make sync interval changes apply immediately by @pmarkowsky in #625
  • Fix sync timing params by @mlw in #627
  • Improved rescheduling on sync failures by @mlw in #629
  • Bounce sync service when push notification config changes by @mlw in #630

Full Changelog: 2025.10...2025.11

Contributors

mlw and pmarkowsky
Loading

v2025.10

30 Oct 20:21
@mlw mlw
2025.10
1bfef5f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v2025.10

Notes

Announcements

🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It is fully featured, scalable, and enterprise ready. Come learn more at northpole.security.

📣 Ready for Tahoe. This version has been validated on macOS Tahoe 26.0.

📣 Santa will be ending support for macOS Ventura in January 2026.

📣 This release introduces a new private sync protocol that includes a limited set of features that can only be used by Workshop customers. The private protocol allows us to iterate more rapidly on certain features without the constraint of maintaining backward compatibility across all existing sync servers. This flexibility will help us deliver improvements faster and respond more quickly to customer needs.

We remain committed to the public sync protocol and will continue maintaining and improving it. Many new features will still be developed in the public protocol, and where feasible, we plan to migrate features from the private protocol back to the public one over time. Read more about this on the North Pole Security blog.

Fixed

❗ Loading an FAA policy with one or more invalid rules no longer causes the entire policy to fail to load

Changed

↔️ Allowed executions and audit-only FAA rule violations that get sent in the EventUpload phase of syncing are now deduplicated across a 4 hour window instead of being tied to the sync interval. Blocked executions and denied FAA rule accesses still adhere to previous semantics.
↔️ FAA rules now support the same TeamID:SigningID syntax for SigningID keys that is supported by the SIGNINGID rule type in execution rules.

Added

Workshop customers: FAA rules can now be managed via the sync protocol.

If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.

Santa documentation has undergone a complete overhaul and can be found at northpole.dev.

What's Changed

  • docs: Add OS support matrix by @russellhancox in #596
  • Support FAA rules with TID:SID notation by @mlw in #597
  • Add FAA rule counts and rule hashes to sync protocol by @mlw in #598
  • build: Split non-bazel deps into separate BUILD files by @russellhancox in #599
  • Handle FAA rule data source transitions. Cleanup status output. by @mlw in #600
  • BETA FAA rule download by @mlw in #603
  • Allow loading FAA policies that are partially invalid by @mlw in #602
  • Inject dates in monarch json tests in order to remove mocks by @mlw in #604
  • Add FAA rule for protecting Chrome extensions to the cookbook by @pmarkowsky in #601
  • Add a rule to stop obvious timestomping of launch daemons and agents by @pmarkowsky in #605
  • docs: Update screenshots with updated logo by @russellhancox in #606
  • feat: Add Google Analytics and Plausible tracking scripts by @statico in #607
  • Add Cookbook rule for stopping osascript asking for passwords. by @pmarkowsky in #608
  • pkg: Add version number to pkg by @russellhancox in #609
  • Migrate stats state plist to be more generic by @mlw in #610
  • docs: Split cookbook CEL into multiline by @russellhancox in #612
  • Support timer restarts, change how startup delay works by @mlw in #611
  • GitHub issue templates by @mlw in #473
  • Pin NPS domains and cert PEMs by @mlw in #613
  • Bump bazel and dep versions by @mlw in #615
  • Handle v1 and v2 sync protocols by @mlw in #616
  • Simplify templates using non-type parameters by @mlw in #617
  • Silence deprecation warnings within protobuf dependency by @mlw in #618
  • Support aliases and hyphens/underscores for santactl commands by @mlw in #619
  • Improved error handling/logging for received rules and StaticRules by @mlw in #621
  • Fix FAA rule counts by @mlw in #622
  • Add a backoff cache for unactionable stored events by @mlw in #623

Full Changelog: 2025.9...2025.10

Contributors

russellhancox, statico, and 2 other contributors
Loading

v2025.9

29 Sep 19:29
@mlw mlw
2025.9
bff8233
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v2025.9

Notes

Announcements

🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It is fully featured, scalable, and enterprise ready. Come learn more at northpole.security.

📣 Ready for Tahoe. This version has been validated on macOS Tahoe 26.0.
📣 Santa will be ending support for macOS Ventura in January 2026.

Fixed

❗ Fixed issue when using protobuf logging where the very first batch of messages on startup might be missing the type_url, which could affect parsing

Changed

↔️ Rule output for santactl fileinfo is more helpful, will now state if a rule would have matched but was ignored because the binary being evaluated was signed with a development certificate
↔️ FileAccessPolicyUpdateIntervalSec configuration is now changeable without a restart

Added

➕ FAA block events are now uploaded as part of the sync protocol, similar to execution events.
➕ FAA log rate limiting parameters are now configurable
➕ Signing time information has been added to telemetry logs

If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.

Santa documentation has undergone a complete overhaul and can be found at northpole.dev.

What's Changed

  • Add a make target for making dev releases by @pmarkowsky in #561
  • docs: Add PayloadUUID to generated payload by @russellhancox in #564
  • docs: Add note about non removable system extensions by @russellhancox in #567
  • sync: Add logging when private key is inaccessible by @russellhancox in #568
  • Support FAA block events in the sync EventUpload phase by @mlw in #569
  • Fix unset type url for the Any protobuf message in the first batch by @mlw in #571
  • Add FAA decision to event upload requests by @mlw in #572
  • Upload FAA blocks to sync server immediately by @mlw in #573
  • Add signing time info to telemetry by @mlw in #575
  • docs: Update docs dependencies by @russellhancox in #576
  • Add macos-26 runners to matrix by @pmarkowsky in #577
  • Fix version issue with last events table upgrade by @mlw in #578
  • Move WatchItems types to common by @mlw in #579
  • Document CEL a little more in the CEL Cookbook by @statico in #580
  • Parse FAA rules in rule download phase by @mlw in #581
  • Support sending FAA rules over XPC from sync service to daemon by @mlw in #583
  • Add FAA rules received and processed counts by @mlw in #584
  • Support changing FAA rate limiting variables via configuration by @mlw in #585
  • Add new table to the rules database for file access rules by @mlw in #586
  • Validate FAA rules on when received via sync server by @mlw in #588
  • Load FAA rules from database at startup by @mlw in #589
  • Attempt to repair corrupted databases on startup by @mlw in #590
  • Fix telemetry export settings name, make them changeable at runtime by @mlw in #591
  • event update: use repeated process for faa events by @tburgin in #587
  • Stop copying data unnecessarily when iterating DB results by @mlw in #593
  • Make fileinfo output helpful when rule was ignored due to dev signed code by @mlw in #594
  • Timer improvements, allow FileAccessPolicyUpdateIntervalSec to be updated dynamically by @mlw in #592

Full Changelog: 2025.8...2025.9

Contributors

russellhancox, statico, and 3 other contributors
Loading

v2025.8

28 Aug 19:36
@mlw mlw
2025.8
4687c98
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v2025.8

Notes

Announcements

🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It is fully featured, scalable, and enterprise ready. Come learn more at northpole.security.

📣 Ready for Tahoe. This version has been validated on the latest macOS Tahoe beta (beta 8).

Fixed

❗ A very rare crash that could occur when creating a transitive rule for a new file

Changed

↔️ santactl fileinfo timestamps are now displayed in ISO8601 format, making them suitable to copy/paste into CEL expressions
↔️ Santa's anti-tamper signal protection no longer blocks signal 0 to conform to documented expectations that allow programs to check for PID validity

Added

➕ Support for CEL string extensions
➕ The File Access Authorization dialogs now have a "Copy Details" button
➕ (BETA) Workshop, our official sync server for Santa, can now enable Santa telemetry export to the cloud (AWS S3 or GCP GCS) and provides an easy to use interface to query Santa’s full set of EDR telemetry.

If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.

Santa documentation has undergone a complete overhaul and can be found at northpole.dev.

What's Changed

  • Clean up citation and add extra location for Spotlight importers by @pmarkowsky in #511
  • project: Check-in git pre-push hook to lint before pushing by @russellhancox in #510
  • docs: Add Slack Cookies FAA policy by @russellhancox in #512
  • sync: Ensure validateBlock is correctly used in sync test by @russellhancox in #505
  • build: Update several bazel modules by @russellhancox in #507
  • Make Spool a template class on type of batcher member by @mlw in #513
  • santad: Stop logging failure to create signing ID for adhoc binaries by @russellhancox in #514
  • Add note to docs about rule requirements for dev signed code by @mlw in #516
  • docs: Fix anchor links, increase h4 font size by @russellhancox in #518
  • docs: Add rule layering section back to the docs by @pmarkowsky in #517
  • santad: Don't block 0 signal, log what signal is sent by @russellhancox in #520
  • Support XXH3 64bit by @mlw in #522
  • Support a new streaming protobuf format by @mlw in #519
  • Remove unnecessary build macro by @mlw in #523
  • Cleanup spool tmp dir on fsspool construction by @mlw in #525
  • Update santactl printlog to support protobufstream formatted logs by @mlw in #526
  • Add binary digest method to SNTXxhash by @mlw in #527
  • telemetry export: prepare for signed URL export by @tburgin in #521
  • Add string extensions to CEL evaluator by @pmarkowsky in #524
  • Add digest to protostream encoding by @mlw in #529
  • docs: Add trailingSlash config by @russellhancox in #532
  • docs: Add llms.txt by @statico in #531
  • telemetry export: post to cloud bucket by @tburgin in #528
  • ci: Merge test and build phases by @russellhancox in #533
  • ci: Move flaky test workflow to 3am EST by @russellhancox in #535
  • ci: Add remote cache by @russellhancox in #537
  • telemetry: stream multiple files by @tburgin in #536
  • santad: Add sending process to tamper resistance logs by @russellhancox in #538
  • docs: Temporarily use NPS docusaurus-plugin-llms plugin by @statico in #539
  • Pin all actions in workflows by @russellhancox in #540
  • Compressed protostream support by @mlw in #541
  • NSData Gzip Decompression, stream compression verification by @mlw in #542
  • Move TemporaryFile class to a standalone ScopedFile class by @mlw in #543
  • tel export: fix http status log by @tburgin in #545
  • santactl/fileinfo: Change timestamps to ISO8601 by @russellhancox in #546
  • Support compressed stream in santactl printlog by @mlw in #544
  • santad: Handle rare compiler controller crash by @russellhancox in #547
  • Add Single Shot mode to Timer mixin class by @mlw in #548
  • build(deps): bump mermaid from 11.6.0 to 11.10.0 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #549
  • Support export batches by @mlw in #550
  • Expose config to enable telemetry export by @mlw in #552
  • Add Copy Details button to the FAA block dialog by @mlw in #554
  • Cookbook: Update slack rules to better handle helper binaries by @pmarkowsky in #553
  • telemetry export: remove extra dot from file extension by @tburgin in #557
  • telemetry: fix content type by @tburgin in #559
  • Ensure to ack files even when all spool files are unsupported by @mlw in #558
  • Add additional prod cert OID by @mlw in #560

Full Changelog: 2025.7...2025.8

Contributors

russellhancox, statico, and 4 other contributors
Loading

v2025.7

31 Jul 13:51
@mlw mlw
2025.7
728a99b
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v2025.7

Notes

Announcements

🎉 Santa has a new Workshop! North Pole Security is excited to announce the release of Workshop, an official sync service specifically designed to deeply integrate with Santa. It is fully featured, scalable, and enterprise ready.

📣 Ready for Tahoe. This version has been validated on the latest Tahoe beta (beta 4) and includes some small fixes to keep things running smoothly on the upcoming macOS Tahoe release.

Fixed

❗ A minor memory leak could occur when evaluating executions of binaries that were not validly signed
❗ Unable to immediately block a binary that was previously executed and allowed on due to cache (issue on macOS Tahoe only)
❗ Execution telemetry could, on very rare occasions, have an improper reason code logged

Changed

↔️ Enabling APNS can now be done dynamically, a restart is no longer required
↔️ Icons have been updated to coincide with North Pole Security branding
↔️ santactl fileinfo has been updated with better detection of binaries signed with development certs so that rule information returned more accurately matches what would be selected at runtime

Added

➕ The sync protocol now contains information in preflight and postflight stages that allows sync servers to detect rule drift, allowing them to take corrective action

If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.

Santa documentation has undergone a complete overhaul and can be found at northpole.dev.

What's Changed

Full Changelog: 2025.6...2025.7

Contributors

russellhancox, statico, and 3 other contributors
Loading

v2025.6

30 Jun 02:22
@mlw mlw
2025.6
6cba1f5
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v2025.6

Notes

Important

The binaries initially uploaded for this release only contained the arm64 slice. We have updated the binaries to be universal and also include the x86_64 slice as well. You may need to re-download the latest binaries if deploying to Intel Macs.

If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.

Santa documentation has undergone a complete overhaul and can be found at northpole.dev.

Announcements

📣 (BETA) Common Expression Language (CEL) has been added as a supported policy type! This is a powerful new feature that expands what can be expressed in a rule. Please see our CEL documentation for more details and examples, as well as the Rule schema for information on how to populate the expression.

  • North Pole Security Workshop customers have access to a fully integrated CEL evaluator and playground in the rule editor.

📣 We've created a Config Generator to help admins craft Santa configuration!

Fixed

❗ Overzealous caching of executables matching compiler rules could cause transitively created executables to not have rules automatically created
❗ On rare occasions, and only when transitive rules or standalone mode were enabled, Santa could potentially exclude some events from the EventUpload phase of syncing
❗ A very rare crash could occur if an XPC connection went invalid before it finished being established
❗ FAA rules with paths that contained glob characters could cause a memory leak

Changed

↔️ santactl status output, including JSON output via the --json flag, has been slightly changed to provide better data grouping and more consistent output across the groups
↔️ Log messages have been more tightly integrated into Apple's Unified Logging System, meaning the EnableDebugLogging configuration key is no longer needed. Debug logs can be viewed along with other log messages using appropriate arguments with the log(1) command.
↔️ Timestamps in santactl fileinfo now default to UTC. This can be changed to use the local system timezone by using the --localtz flag.
↔️ More Santa files are now included in the tamper resistance protections, including the rules and events databases and the sync state plist.
↔️ Rule information returned by santactl fileinfo and santactl rule now shows the matched rule, not the decision, since this is often heavily influenced by runtime information that isn't available during a static check
↔️ Links in the UnknownBlockMessage and BannedBlockMessage configuration keys that are displayed when an execution is blocked are now clickable

Added

➕ (BETA) Rules can now include CEL policies! See our CEL documentation for more details and examples.
➕ Santa now emits distributed notifications when FAA policy violations occur, similar to the notifications that are sent when executions are blocked.
➕ A clean sync can now be initiated from the "About" UI dialog by holding the Option key when clicking the "Sync" button
➕ Executable signing timestamps were added to sync preflight messages and santactl fileinfo output
➕ Paths for Proc FAA rules now also support glob characters in the same way as Data FAA rules.
➕ New checks were added to santactl doctor to look for potential sync server certificate and communication issues
➕ Primary user groups can now be defined by the MachineOwnerGroups or MachineOwnerGroupsKey configuration key. This value is included in preflight requests to allow sync servers to improve rule targeting.

What's Changed

Full Changelog: 2025.5...2025.6

Contributors

russellhancox, mlw, and 2 other contributors
Loading

v2025.5

28 May 18:30
@mlw mlw
2025.5
83c17e5
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v2025.5

Notes

If you're migrating from Google Santa, please see the Migration Guide for details on how to upgrade.

Santa documentation has undergone a complete overhaul and can be found at northpole.dev.

Announcements

📣 macOS 12 is no longer supported
📣 We've created a Config Generator to help admins craft Santa configuration!
📣 Santa can now collect basic, non-identifying stats on an opt-in basis by setting the EnableStatsCollection configuration key to true. See our Stats documentation for complete details. Please consider opting in your organization to help us better maintain Santa for the whole community!

Fixed

❗ ClientMode change user notifications had empty messages
❗ Rule comments were being dropped when importing rules via santactl rule --import
❗ Bundle hashing could occur in the background even if not configured by the sync server

Changed

↔️ Glob expansion in FAA rules has been made more powerful. When possible, Santa will now opportunistically attempt to apply FAA rules with path globs to sub paths that might not yet exist. This replaces the previous behavior that worked like shell expansion and would only apply to paths that existed each time rules were reevaluated.
↔️ Changes to MachineID configuration now apply dynamically and don't require restarting the daemon
↔️ The sync server's EnableBundles setting is now stored with other sync variables so that the setting is maintained across daemon/system restarts and applied before the first Santa sync

Added

➕ The machine's SIP status has been added to the sync protocol's preflight requests
➕ Santa's "About" dialog has been redesigned and made more useful. Users can now trigger a sync or drag-and-drop an application to capture file info without having to interact with the command line. Drag and drop is also supported on the Dock icon if it is currently showing.
➕ Added the eventupload command to santactl to capture event details for a given application and send to the configured sync server. This is primarily useful for admins that want to ensure full application details exist on the server for applications that don't have an associated block rule and would not otherwise capture this information automatically.

What's Changed

  • docs: Replace docs with new docusaurus-based site by @russellhancox in #375
  • build(deps): bump the npm_and_yarn group across 1 directory with 3 updates by @dependabot in #376
  • Fixed up background apps plist example by @sysophost in #378
  • docs: Add algolia config by @russellhancox in #382
  • docs: highlight santa profile content, update sizing by @russellhancox in #381
  • docs: Add simple README by @russellhancox in #383
  • gui: Update about window with new design and default text by @russellhancox in #374
  • gui: Fix mode change notifications by @russellhancox in #380
  • Apply Machine ID config updates in real time by @mlw in #377
  • docs: update UUIDs in example profiles to be different than the old Google Santa profiles by @pmarkowsky in #384
  • Bump builds to C++20 by @mlw in #386
  • Address build issues with C++20 on older OS versions by @mlw in #387
  • sync: Populate sip_status field in Preflight by @russellhancox in #385
  • sync: Handle 'global' push notifications by @russellhancox in #390
  • Add Timer mixin, adopt in Logger class. by @mlw in #388
  • gui: Add 'sync' button to About window by @russellhancox in #389
  • Respect rule comments on import by @mlw in #391
  • build: Disable codesign timestamp for dev builds by @russellhancox in #392
  • Bump Bazel and module versions by @mlw in #396
  • Collect, open, and send telemetry files to sync service for processing by @mlw in #395
  • gui: allow drag & drop on about window or dock icon to get app details by @russellhancox in #398
  • build: Bump minimum macOS version to 13, document the policy by @russellhancox in #399
  • Remove run time and compile time checks for macOS 13 by @mlw in #400
  • Update how MOLXPCConnection tracks connections, vends proxy objects by @mlw in #401
  • FAA glob expansion enhancements by @mlw in #394
  • Standardize bazel module dependency naming style by @mlw in #403
  • gui: change button behavior during hashing by @russellhancox in #404
  • gui: Simplify display of bundle hash progress, animate disappearing by @russellhancox in #405
  • gui: don't show bundle hash view if bundle hashing is not needed by @russellhancox in #407
  • Update telemetry keys in docs by @mlw in #408
  • ci: Stop running on all branches by @russellhancox in #409
  • build(deps): bump estree-util-value-to-estree from 3.3.3 to 3.4.0 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #411
  • docs: Add the beginning of the config generator by @russellhancox in #412
  • santactl: Fix misleading message from errSecCSInfoPlistFailed by @russellhancox in #413
  • Add EnableBundle sync config to sync state plist by @mlw in #414
  • santactl: add eventupload command by @tburgin in #410
  • bundle service: Adaptive priority by @tburgin in #415
  • gui: Fix and prevent crash formatting signing IDs by @russellhancox in #417
  • gui: Fix accessory/hide handling with multiple windows by @russellhancox in #418
  • gui: Move all activationPolicy changes into AppDelegate by @russellhancox in #419

New Contributors

Full Changelog: 2025.4...2025.5

Contributors

russellhancox, mlw, and 4 other contributors
Loading